Advanced Smartphone Forensics

It is rare to conduct a digital forensic investigation that does not include a smartphone or mobile device. Often, the smartphone may be the only source of digital evidence tracing an individual's movements and motives and may provide access to the who, what, when, where, why, and how behind a case. FOR585 teaches real-life, hands-on skills that enable digital forensic examiners, law enforcement officers, and information security professionals to handle investigations involving even the most complex smartphones available today.

FOR585: Advanced Smartphone Forensics focuses on smartphones as sources of evidence, providing the necessary skills to handle mobile devices in a forensically sound manner, understand the different technologies, discover malware, and analyze the results for use in digital investigations by diving deeper into the file systems of each smartphone. Students will be able to obtain actionable intelligence and recover and analyze data that commercial tools often miss for use in internal investigations, criminal and civil litigation, and security breach cases. Do not miss the NEW FOR585!

The hands-on exercises in this class cover the best tools currently available to conduct smartphone and mobile device forensics, and provide detailed instructions on how to manually decode data tools sometimes overlook. The course will prepare you to recover and reconstruct events relating to illegal or unauthorized activities, determine if a smartphone has been compromised with malware or spyware, and provide your organization the capability to use evidence from smartphones. This intensive six-day course will take your mobile device forensics knowledge and abilities to the next level. Smartphone technologies are new and the data formats are unfamiliar to most forensic professionals. It is time to get smarter!

Smartphone Capabilities: Determine the who, what, when, where, why, and how! Who used a smartphone? What did the user do on a smartphone? Where was the smartphone located at key times? What online activities did the user conduct using a smartphone?

Course Syllabus

FOR585.1: Smartphone Overview and Malware Forensics

Overview

Focus: Although smartphone forensic concepts are similar to those in digital forensics, smartphone file system structures differ and require specialized decoding skills to correctly interpret the data acquired from the device. Today you will apply what you already know to smartphone forensic handling, device capabilities, acquisition methods, and data encoding concepts of smartphone components. You will also become familiar with the forensic tools required to complete comprehensive examinations of smartphone data structures. Malware affects a plethora of smartphone devices. This section will examine various types of malware, how it exists on smartphones, and how to identify it.

The existence of malware on smartphones is a reality that all examiners today must address. Often, the only question relating to an investigation may be "was this smartphone compromised, how, and what can you do to fix it?" It is important for examiners to understand malware and how to identify its existence on the smartphone.

Smartphones will be introduced and defined to set our expectations for what we can recover using digital forensic methodologies. We review the properties of Flash memory in mobile devices and demonstrate the pros and cons from a forensic perspective. We provide approaches for dealing with common challenges such as encryption, passwords, and damaged devices. You will learn how to process and decode data on mobile devices from a forensic perspective, and you will learn tactics to recover information that even forensic tools may not always be able to retrieve.

The SIFT Workstation has been specifically loaded with a set of smartphone forensic tools that will be your primary toolkit and working environment for the week.

FOR585.2: Android Forensics

Overview

Focus: Android devices are among the most widely used smartphones in the world, which means they will surely be part of an investigation that will come across your desk. Android devices contain substantial amounts of data that can be decoded and interpreted into useful information. Without honing the appropriate skills for bypassing locked Androids and correctly interpreting the data stored on the devices, you will be unprepared for the rapidly evolving world of smartphone forensics.

Digital forensic examiners must understand the file system structures of Android devices and how they store data in order to extract and interpret the information they contain. We delve into the file system layout on Android devices and discuss common areas containing files of evidentiary value. Traces of user activities on Android devices are covered, as is recovery of deleted data residing in SQLite records and raw data files.

During hands-on exercises, you will use smartphone forensics tools to extract, decode, and analyze a wide variety of information from Android devices.

Exercises

Manually decoding and extracting information from Android file systems and logical acquisitions.

FOR585.3: iOS Forensics

Overview

Focus: Apple iOS devices are no longer restricted to the United States, but are in use worldwide. iOS devices contain substantial amounts of data, including deleted records, that can be decoded and interpreted into useful information. Proper handling and parsing skills are required for bypassing locked iOS devices and correctly interpreting the data. Without instruction in iOS forensics, you will be unprepared to deal with the iOS device that will likely be a major component in a forensic investigation.

Digital forensic examiners must understand the file system structures and data layouts of Apple iOS devices in order to extract and interpret the information they contain. To learn how to do this, we delve into the file system layout on iOS devices and discuss common areas containing files of evidentiary value. Encryption, decryption, file parsing, and traces of user activities are covered in detail.

During hands-on exercises, you will use smartphone forensics tools to extract and analyze a wide variety of information from iOS devices. You will also be required to manually decode data that were deleted or are unrecoverable using smartphone forensics tools.

Exercises

Manually decoding and extracting information from iOS file systems and logical acquisitions.

FOR585.4: Backup File and BlackBerry Forensics

Overview

Focus: BlackBerry smartphones are designed to protect user privacy, but the techniques taught in this section will enable the investigator to go beyond what the tools decode and manually recover data residing in database files on the BlackBerry file system. Backup files are commonly found on external media and can be the only forensic acquisition method for newer iOS devices that are locked. Learning how to access and parse data from encrypted backup files may be the only lead to smartphone data relating to your investigation.

Forensic examiners must understand how to interpret and analyze the information on BlackBerry smartphones, and they need to understand the limitations of existing methods for extracting data from these devices. This section covers how to handle encryption issues, BlackBerry Enterprise Server data, and locked devices. Manual decoding of BlackBerry data will provide access to a vast amount of data that forensic tools seem to miss.

Both BlackBerry and iOS backup files are commonly a part of digital forensic investigations. This section provides students with a deep understanding of backup file contents, manual decoding, and parsing and cracking of encrypted backup file images.

During hands-on exercises, you will use smartphone forensic tools to extract and analyze a wide variety of information from BlackBerry devices and from iOS and BlackBerry backup files. You will be required to manually decode data that were encrypted or deleted, or that are unrecoverable using smartphone forensic tools.

Overview

Focus: Given the prevalence of other types of smartphones around the world, it is critical for examiners to develop a foundation of understanding about data storage on multiple devices. Nokia smartphones running the Symbian operating system may no longer be manufactured, but that does not mean they no longer exist in the wild. You must acquire skills for handling and parsing data from uncommon smartphone devices. This day of instruction will prepare you to deal with "misfit" smartphone devices and provide you with advanced methods for decoding data stored in third-party applications across all smartphones.

This day will cover other smartphone devices such as Nokia (Symbian), Chinese knock-offs, and Windows Phones. These devices retain information about user activities that can be relevant in a digital investigation, including e-mail, Web browsing, user-created files, and registry entries. We will cover techniques for parsing common data structures on these smartphone devices and recovering deleted items.

During hands-on exercises, you will use smartphone forensics tools to extract and analyze a wide variety of information from a Chinese knock-off phone. You will be required to manually decode data that were deleted or are unrecoverable using smartphone forensic tools. The third-party application hands-on exercise will be a compilation of everything you learned over the past five days and will require the manual decoding of third-party application data from multiple smartphones.

Exercises

Advanced third-party application exercise requiring the student to implement honed skills from the first five days to manually decode communication stored in third-party application files across multiple smartphones.

A Nokia lab requiring manual parsing and identification of devices based upon file system dumps from multiple devices. This lab should challenge the student to put together several concepts learned during the week.

Bonus Lab - Decoding and recovering a passcode from a locked Android acquired using JTAG/chip-off methodologies.

CPE/CMU Credits: 6

Topics

Third-Party Applications on Smartphones Overview

Common Applications Across Smartphones

Third-Party Application Locations on Smartphones

How to Locate

Data Format

Decoding Third-Party Application Data on Smartphones

Manual Recovery

Decoding Methods

Knock-off Phone Forensics

Knock-off Phone Overview

Forensic Analysis

Evidentiary Locations

Manual Decoding of Knock-off File System Data

Nokia (Symbian) Forensics

Symbian Features Overview

Evidentiary Locations

Windows Phone/Mobile Forensics

Overview of Windows Phone/Mobile

Evidentiary Locations

JTAG (Bonus Section)

An introduction to JTAG methods using the RIFF Box

FOR585.6: Smartphone Forensic Capstone

Overview

Focus: This section will test all that you have learned during this week. In small groups, you will examine three smartphone devices and solve a scenario relating to a real-world smartphone forensic investigation. Each group will independently analyze the three smartphones, manually decode data, answer specific questions, form an investigation hypothesis, develop a report, and present findings.

Each group will present its findings to the class. This will test your understanding of the techniques taught during the week. The findings should be technical and include manual recovery steps and the thought process behind your investigative steps. An executive summary of findings is expected.

Exercises

Each group will be asked to answer the following key questions during the capstone exercise, just as they would during a real-world digital investigation:

Additional Information

Laptop Required

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

A properly configured 64-bit system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can also install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 10.0 or VMware Fusion 6.0 or VMware Player 6.0 on your system prior to beginning the class. (Note: This is required to prevent issues with USB 3.0 ports.) If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

MANDATORY FOR585 SYSTEM HARDWARE REQUIREMENTS:

CPU: a 64-bit Intel x64 2.0+ GHz processor or higher is mandatory for this class (Important - Please read: a 64-bit processor is mandatory)

Bring the proper system hardware (64-bit / 8 GB RAM) and operating system configuration

Install VMware (Workstation, Player, or Fusion), MS Office, and 7-Zip

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

FOR585 - Advanced Smartphone Forensics is designed for students who are both new to and experienced with mobile device forensics. The course provides the core knowledge and hands-on skills that a Digital Forensic Investigator needs to process smartphones and other mobile devices. The course is a must for:

Experienced Digital Forensic Analysts who want to extend their knowledge and experience to forensic analysis of mobile devices, especially smartphones.

Media Exploitation Analysts who need to master Tactical Exploitation or Document and Media Exploitation (DOMEX) operations on smartphones and mobile devices by learning how individuals used their smartphones, who they communicated with, and files they accessed.

IT Auditors who want to learn how smartphones can expose sensitive information.

SANS SEC575, FOR563, FOR408, and FOR508 Graduates looking to take their skills to the next level.

Prerequisites

FOR585 Advanced Smartphone and Mobile Device Forensics has something to offer everyone. While FOR408 is not required prior to taking this course, a basic understanding of digital forensic file structures will help the student grasp the more advanced topics. FOR585 covers advanced topics that should enhance the skill sets of anyone working in or interested in digital forensics.

What You Will Receive

SIFT Workstation - Smartphone Version Windows Virtual Machine used with all class hands-on exercises. The workstation is used to teach digital forensic examiners and incident responders how to examine and investigate information on smartphones. SIFT contains free and open source tools, easily matching any modern forensic tool suite.

Windows 8 Standard License

Oxygen Forensic Educational License

Microsystemation XRY Demo License

Cellebrite Physical Analyzer Demo License

Course USB loaded with case examples, exercises, and documentation

You Will Be Able To

FOR585 will prepare you to:

Extract and use information from smartphones and mobile devices, including Android, iOS, BlackBerry, Windows Phone, Symbian, and Chinese knock-off devices

Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (who communicated with whom, locations at particular times)

Decrypt locked backup files and bypass smartphone locks

Apply the knowledge you acquire during the six days to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations

Press & Reviews

"I think anyone that claims to be a mobile device "expert" should be required to take this course. Not knowing this information has severely hindered investigations in our lab!!!"

"If you want to prepare for the inevitable, consider taking FOR585."

"This is the most advanced mobile device training that I know of and is greatly needed. It is currently the only course being taught at this level!" - Scott McNamee, DoS/CACI

"As an experienced user of the tools, I found FOR585 very instructional on how and why these tools give the results they do during an examination." - SA Charles Cox, FBI CART

"FOR585 is the best out there." - Andy Nind, British Army

"'What didn't I find?' That is one of the most relevant questions in any forensic examination. By just running forensic tools, even multiple tools, you still can't answer that simple question. SANS 585 doesn't just teach you how to examine a device in specific tools, it teaches you the mindset of examining mobile devices. It is a constant reminder that an examiner needs to know what to look for, not just where to click. For those new to mobile forensics, it is a fantastic starting point that will help examiners transition into non-computer forensics. For those with previous mobile device experience it can reveal what tools and other methods may have missed when examining different families of mobile devices." - SANS FOR585 Student

"This course is worth it even for a novice like myself." - S. Gentry, Adobe

"This course was very high quality training that provided exactly what was advertised!" - C. McCollom, Clark County Sheriff's Office

"Very informative - especially Malware." - S. - MOD

"This was an awesome class! Amazing amount of material and the capstone tied it all together." - D. Mayer, Broomfield PD

"Heather is a great instructor. The only downside will be not being able to bring her back to my office so we can pick her brain every day!" - C. McCollom, Clark County Sheriff's Office

"Great BlackBerry lab. I have never dug this deep in a BlackBerry before." - D. Mayer, Broomfield PD

"I finally know what I have been missing! I didn't know I was ignorant." - Mark G - DoJ

"Great Labs." - Multiple students

"I've received more useful information in just one day of the course than I have completing other mobile device training."

"Great instruction on manual decoding. I've been relying on a tool and now I know what I am missing." - Student

Author Statement

"Digital forensic investigations usually involve a smartphone or mobile device. Often, the smartphone is the only form of digital evidence relating to the investigation. Knowing how to recover all of the data residing on the smartphone is now an expectation in our field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. FOR585: Advanced Smartphone Forensics provides the required knowledge to beginners in mobile device forensics and mobile device experts. This course has something to offer everyone!" - Heather Mahalik

"One thing is clear no matter whether you work in law enforcement or the private sector: the importance of evidence obtained from smartphones and other mobile devices has become crucial to all kinds of investigations. Solid foundational knowledge, skills, and techniques in mobile device forensics are no longer optional. Developed by passionate practitioners with a high level of experience in the field, FOR585: Advanced Smartphone Forensics provides those elements you need to succeed in your investigations and thrive in the rapidly changing mobile device forensics environment." - Cindy Murphy

"Eighty-five percent of the world's population today has a mobile phone. In the U.S. alone, almost half of these devices are smart phones. The tools and techniques for acquiring and analyzing these devices are changing every day. As the handsets become more sophisticated in the storage and obfuscation of personal user data, the tools and practitioners are in a race to uncover data related to investigations. The concepts covered in FOR585: Advanced Smartphone Forensics will not only highlight some of the best tools available for acquiring and analyzing the smart devices on the market today, they will also provide examiners with best practices and techniques for delving deeper into smart devices as new applications and challenges arise. FOR585 keeps students ahead of the curve!" - Domenica Crognale